Application security

Application security enables security for the applications in the environment. This type of security provides application isolation and requirements for authenticating application users

In previous releases of WAS, when a user enabled global security, both admin and application security were enabled. In WAS V6.1, the previous notion of global security is split into administrative security and application security, each of which we can enable separately.

As a result of this split, WAS clients must know whether application security is disabled at the target server. Administrative security is enabled, by default. Application security is disabled, by default. Before we can enable application security, verify that administrative security is enabled. Application security is in effect only when administrative security is enabled.

An Application Server Enablement Tag, which is specific to WAS, is imported into the Interoperable Object Reference (IOR) to indicate if application security is disabled for the server where the object lives. This tag is server-specific and enables clients to know when application security is disabled at the target server of its request.

For Web resources, when application security is enabled, security constraints on those resources in web.xml are enforced. When accessing a protected resource, a web client is prompted for authentication.

For enterprise bean resources, when application security is disabled, the client Common Secure Interoperability version 2 (CSIv2) code ignores the CSIv2 security tags for objects that are unknown system objects. When pure clients see that application security is disabled, these clients prompt for naming lookups, but do not prompt for enterprise bean operations.


Related concepts

Administrative security


Related tasks

Enable security



Specify extent of protection wizard settings